Questions About User Authentication Methods

Asked By CuriousCoder42 On

Hey everyone! I've got a couple of user authentication questions that I hope aren't too basic:

1) For a mobile app, website, or web app, can we use:
A) A cookie-based stateless approach for authentication without including a token like JWT in the cookie?
B) A token-based stateful approach without involving cookies at all?

2) I came across the term "machine to machine authentication" while learning about user authentication. Is this the same as API to API authentication? Or does it refer to something like website to API communication without user authentication?

Thanks a ton for your help!

1 Answer

Answered By TechieTommy On

"Machine to machine authentication" is about verifying the identity of the machine sending the request. Yes, it can apply to API to API interactions, but it also covers scenarios like a trusted client app on corporate devices. For instance, in my work, we use Microsoft Entra Conditional Access to ensure that devices are enrolled in Intune, and we implement Mutual TLS for secure device authentication. This means we get authentication at both the device level and user level (username + password + MFA). It’s pretty robust!

AskMeAnything23 -

Thanks for the detailed explanation! You've clarified a lot. I have a few follow-up questions:

- Why is token-based authentication said to require public key infrastructure for security, while session-based authentication does not?
- If both use HTTPS, which provides public key infrastructure, why does token-based auth also need its own implementation of public keys?
- Are there any other types of authentication methods beyond user and machine to machine auth, and do they still use similar foundational methods?

